Websense SQL Queries. David Buyer June 2009 Be281@bfn.org




Introduction

The SQL queries listed here are ones I have been using for a number of years now. I use them almost exclusively as an alternative to Websense Explorer and Reporter, which are limited. I hope you can get some use out of them. These queries were written and used with a number of different versions of Websense Enterprise. They haven't modified their database in a while, so these should still work until they decide to modify it. They work in Microsoft SQL Server 2000 and 2005.

That said, if you want to see what Websense Explorer is doing, you can see some of the queries Websense uses by setting the value "&gubed=1" (without the quotes) in Websense Explorer after running a report, which gets you all the debug and SQL info. It should be appended to the end of the URL and takes some practice to get right. You also have to filter out all the extra "stuff" from the output to actually get something you can build on. The Websense database is not too complex, but complex enough that it will take some work to understand and be able to write queries for. Just take your time and start hacking at it. If you come up with some other useful queries, please let me know and I'll add them to this doc and give you credit.

Code 1

/* Websense uses the number of unique IP addresses within a 24 hour period for its license count. Run this for a 24 hour period to check on that count. If you have been getting those pesky "exceeded license count" emails then run this to see how many licenses you will need to purchase. You can also use their ConsoleClient but this query is a more accurate measure. */

SELECT COUNT(DISTINCT SOURCE_IP) AS IPs
FROM INCOMING_VIEW
--set start and end dates here
WHERE (DATE_TIME > {d 'YYYY-MM-DD'})
  AND (DATE_TIME < {d 'YYYY-MM-DD'})
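Code 1 answers the license question for a single 24 hour window. The following is an added example, not part of the original document, that extends it to a distinct-IP count per day over a date range, so the figure can be trended before the next "exceeded license count" email arrives. INCOMING_VIEW and its SOURCE_IP and DATE_TIME columns are the ones Code 1 uses; the @start and @end variables and the dates in them are constructed sample values.

```sql
-- Added example (not from the original document): daily distinct source IP
-- counts over a date range, using the same INCOMING_VIEW as Code 1.
DECLARE @start datetime
DECLARE @end   datetime

-- constructed sample range: one week, half-open so each day is counted once
SET @start = CONVERT(datetime, '2009-06-01 00:00:00', 120)
SET @end   = CONVERT(datetime, '2009-06-08 00:00:00', 120)

SELECT CONVERT(varchar(10), DATE_TIME, 120) AS [Day],   -- yyyy-mm-dd
       COUNT(DISTINCT SOURCE_IP)            AS [IPs]
FROM   INCOMING_VIEW
WHERE  DATE_TIME >= @start
  AND  DATE_TIME <  @end
GROUP BY CONVERT(varchar(10), DATE_TIME, 120)
ORDER BY [Day] ASC
```

The half-open comparison (>= start, < end) avoids both the one-second hole at 23:59:59 and the double counting at midnight that BETWEEN on datetime values can introduce; the largest [IPs] value in the result is the day that drove the license warning.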

Code 2

/* The Websense Explorer and Reporter are "ok" tools if you need to run a one-user report, but if you need to run a report on multiple users then they simply can't do it. Sure, you could run multiple reports, one for each user, but there just isn't enough time in the day. Use this query to run a report on multiple user names. If you only have one user you can still use this query; just change the "in" parameter to "=" where noted. */

SELECT INCOMING.DATE_TIME as 'Date and Time',
       USER_NAMES.USER_FULL_NAME as 'Full Name',
       USER_NAMES.USER_LOGIN_NAME as 'Login ID',
       PROTOCOLS.NAME as 'Protocol',
       INCOMING.PORT as 'Port',
       INCOMING.FULL_URL as 'URL',
       CATEGORY.NAME as 'Category'
FROM INCOMING (NOLOCK), USER_NAMES (NOLOCK), PROTOCOLS (NOLOCK), CATEGORY (NOLOCK)
WHERE INCOMING.USER_ID = USER_NAMES.USER_ID
  AND INCOMING.PROTOCOL_ID = PROTOCOLS.ID
  AND INCOMING.CATEGORY = CATEGORY.CATEGORY
  --insert the user ids here
  --if using just one user then use the equal sign instead of the 'in' parameter
  AND USER_NAMES.USER_LOGIN_NAME in ('user1', 'user2', 'user3')
  --set start date here
  AND INCOMING.date_time BETWEEN convert(datetime, 'YYYY-MM-DD 00:00:00', 120)
  --set end date here
                         AND convert(datetime, 'YYYY-MM-DD 23:59:59', 120)
ORDER BY USER_NAMES.USER_FULL_NAME ASC,
         convert(varchar(10), incoming.date_time, 120) ASC,
         convert(varchar(10), incoming.date_time, 108) ASC

Code 3

/* This query is similar to the multiple users query, but instead of multiple users it queries on multiple SOURCE IP addresses. Again, the Explorer and Reporter are good for single items but can't run reports on multiple sources. Use this query for that purpose. If you only have one IP you can still use this query; just change the "in" parameter to "=" where noted. */

SELECT INCOMING.DATE_TIME as 'Date and Time',
       dbo.inttoip(incoming.source_ip_int) as 'IP Address',
       USER_NAMES.USER_FULL_NAME as 'Full Name',
       USER_NAMES.USER_LOGIN_NAME as 'Login ID',
       PROTOCOLS.NAME as 'Protocol',
       INCOMING.PORT as 'Port',
       INCOMING.FULL_URL as 'URL',
       CATEGORY.NAME as 'Category',
       DISPOSITION.DESCRIPTION as 'Disposition'
FROM INCOMING (NOLOCK), USER_NAMES (NOLOCK), PROTOCOLS (NOLOCK), CATEGORY (NOLOCK), DISPOSITION (NOLOCK)
WHERE INCOMING.USER_ID = USER_NAMES.USER_ID
  AND INCOMING.PROTOCOL_ID = PROTOCOLS.ID
  AND INCOMING.CATEGORY = CATEGORY.CATEGORY
  AND INCOMING.DISPOSITION_CODE = DISPOSITION.DISPOSITION_CODE
  --insert the ints of the IP here
  --if using just one IP then use the equal sign instead of the 'in' parameter
  AND INCOMING.SOURCE_IP_INT in ('128564845', '138564845', '148503534')
  --set start date here
  AND INCOMING.date_time BETWEEN convert(datetime, 'YYYY-MM-DD 00:00:00', 120)
  --set end date here
                         AND convert(datetime, 'YYYY-MM-DD 23:59:59', 120)
ORDER BY dbo.inttoip(incoming.source_ip_int) ASC,
         USER_NAMES.USER_FULL_NAME ASC,
         convert(varchar(10), incoming.date_time, 120) ASC,
         convert(varchar(10), incoming.date_time, 108) ASC

Code 4

/* This query is again similar to the multiple users query, but instead of multiple users it queries on multiple DESTINATION IP addresses. If you only have one IP you can still use this query; just change the "in" parameter to "=" where noted. */

SELECT INCOMING.DATE_TIME as 'Date and Time',
       dbo.inttoip(incoming.source_ip_int) as 'IP Address',
       USER_NAMES.USER_FULL_NAME as 'Full Name',
       USER_NAMES.USER_LOGIN_NAME as 'Login ID',
       PROTOCOLS.NAME as 'Protocol',
       INCOMING.PORT as 'Port',
       INCOMING.FULL_URL as 'URL',
       CATEGORY.NAME as 'Category',
       DISPOSITION.DESCRIPTION as 'Disposition'
FROM INCOMING (NOLOCK), USER_NAMES (NOLOCK), PROTOCOLS (NOLOCK), CATEGORY (NOLOCK), DISPOSITION (NOLOCK)
WHERE INCOMING.USER_ID = USER_NAMES.USER_ID
  AND INCOMING.PROTOCOL_ID = PROTOCOLS.ID
  AND INCOMING.CATEGORY = CATEGORY.CATEGORY
  AND INCOMING.DISPOSITION_CODE = DISPOSITION.DISPOSITION_CODE
  --insert the integer of the destination IP here
  --if using just one IP then use the equal sign instead of the 'in' parameter
  AND INCOMING.DESTINATION_IP_INT in ('3423467676', '3494790234', '3494790467', '1266584565')
  --set start date here
  AND INCOMING.date_time BETWEEN convert(datetime, 'YYYY-MM-DD 00:00:00', 120)
  --set end date here
                         AND convert(datetime, 'YYYY-MM-DD 23:59:59', 120)
ORDER BY dbo.inttoip(incoming.source_ip_int) ASC,
         USER_NAMES.USER_FULL_NAME ASC,
         convert(varchar(10), incoming.date_time, 120) ASC,
         convert(varchar(10), incoming.date_time, 108) ASC
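Codes 2 through 4 list every request for the selected users or addresses, which is the right output for an investigation but a lot of rows to read. The following is an added example, not part of the original document, that runs over the same INCOMING, USER_NAMES, CATEGORY and DISPOSITION tables and the same user filter as Code 2, but summarizes the activity per user, category and disposition so a reviewer can see where the volume is before pulling the row-level detail. It uses ANSI join syntax and declared date variables; the sample logins and dates are constructed, and the @start and @end names are my own.

```sql
-- Added example (not from the original document): per-user activity summary
-- over the tables and columns used in Codes 2 to 4.
DECLARE @start datetime
DECLARE @end   datetime

-- constructed sample range: one day, half-open
SET @start = CONVERT(datetime, '2009-06-01 00:00:00', 120)
SET @end   = CONVERT(datetime, '2009-06-02 00:00:00', 120)

SELECT  U.USER_LOGIN_NAME  AS [Login ID],
        U.USER_FULL_NAME   AS [Full Name],
        C.NAME             AS [Category],
        D.DESCRIPTION      AS [Disposition],
        COUNT(*)           AS [Requests],
        MIN(I.DATE_TIME)   AS [First Seen],
        MAX(I.DATE_TIME)   AS [Last Seen]
FROM    INCOMING    I WITH (NOLOCK)
JOIN    USER_NAMES  U WITH (NOLOCK) ON U.USER_ID = I.USER_ID
JOIN    CATEGORY    C WITH (NOLOCK) ON C.CATEGORY = I.CATEGORY
JOIN    DISPOSITION D WITH (NOLOCK) ON D.DISPOSITION_CODE = I.DISPOSITION_CODE
WHERE   U.USER_LOGIN_NAME IN ('user1', 'user2', 'user3')   -- constructed sample logins
  AND   I.DATE_TIME >= @start
  AND   I.DATE_TIME <  @end
GROUP BY U.USER_LOGIN_NAME, U.USER_FULL_NAME, C.NAME, D.DESCRIPTION
ORDER BY U.USER_LOGIN_NAME ASC, COUNT(*) DESC
```

To summarize by source or destination address instead, swap the USER_LOGIN_NAME filter for the SOURCE_IP_INT or DESTINATION_IP_INT filter from Code 3 or 4 and group on dbo.inttoip(I.SOURCE_IP_INT) as well. The [Disposition] column is what makes the summary useful for review: it separates requests that were blocked from those that were permitted, which a plain hit count hides.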

Code 5

/* Websense doesn't store IP addresses as IP addresses. It stores them in converted integer form after applying a simple algorithm to them. In order to use the DESTINATION and SOURCE queries you must first convert IP addresses into integer form. Use this query to convert IP addresses to the integer values that Websense recognizes. You can use multiple IP addresses or just one. */

Declare @strip varchar(20)
Declare @strallip varchar(255)
Declare @result1 bigint
Declare @octet1 bigint
Declare @octet2 bigint
Declare @octet3 bigint
Declare @octet4 bigint
Declare @ci1 int
Declare @ci2 int
Declare @ci3 int
Declare @ci4 int
Declare @pos int

--put IP's here
Set @strallip = '10.10.20.30, 10.10.20.31, 10.10.20.32, 10.10.20.33, 10.10.20.34, 10.10.20.35, 10.10.20.36'

--gets rid of the newlines if using a column of IP's; I hate when lines go beyond the screen so I use columns
set @strallip = replace(@strallip, char(13)+char(10), '')

--add a comma to the end if it isn't there (LEN is the position of the last character)
IF substring(@strallip, LEN(@strallip), 1) <> ','
    SET @strallip = @strallip + ','

SET @pos = 0
WHILE charindex(',', @strallip) > 0
BEGIN
    --takes the first item from the list, trimming any spaces around it
    SET @strip = ltrim(rtrim(substring(@strallip, 0, charindex(',', @strallip))))
    --removes the first item from the list
    SET @strallip = substring(@strallip, charindex(',', @strallip)+1, LEN(@strallip) - @pos)

    --find the three dots and pull out the four octets
    select @ci1 = cast((charindex('.', @strip)) as bigint)
    select @octet1 = cast((substring(@strip, 0, @ci1)) as bigint)
    select @ci2 = cast((charindex('.', @strip, @ci1+1)) as bigint)
    select @octet2 = cast((substring(@strip, @ci1+1, (@ci2-@ci1-1))) as bigint)
    select @ci3 = cast((charindex('.', @strip, @ci2+1)) as bigint)
    select @octet3 = cast((substring(@strip, @ci2+1, (@ci3-@ci2-1))) as bigint)
    select @ci4 = len(@strip) - @ci3
    select @octet4 = cast((right(@strip, @ci4)) as bigint)

    --first octet is the most significant byte; print one integer per IP in the list
    select @result1 = (@octet1 * 16777216) + (@octet2 * 65536) + (@octet3 * 256) + @octet4
    print @result1
END
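Code 5 does the conversion as a one-off script whose output you then paste into Code 3 or 4. The following is an added example, not part of the original document, that packages the same octet arithmetic as a scalar function so the SOURCE and DESTINATION queries can take dotted addresses directly, and that returns NULL for anything that is not four octets in the range 0 to 255 (Code 5 would silently turn a malformed entry into a wrong integer). The function name dbo.iptoint is my own; dbo.inttoip is the inverse that the page's queries already use, and the sample addresses are constructed.

```sql
-- Added example (not from the original document): dotted IPv4 string to the
-- integer form Websense stores, as a reusable function. Name is hypothetical.
CREATE FUNCTION dbo.iptoint (@ip varchar(15))
RETURNS bigint
AS
BEGIN
    DECLARE @p1 varchar(15), @p2 varchar(15), @p3 varchar(15), @p4 varchar(15)
    DECLARE @o1 bigint, @o2 bigint, @o3 bigint, @o4 bigint

    SET @ip = LTRIM(RTRIM(@ip))

    -- PARSENAME numbers the dotted parts from the right (part 1 is the last
    -- octet) and returns NULL for any part when the string has more than four.
    SET @p1 = PARSENAME(@ip, 4)
    SET @p2 = PARSENAME(@ip, 3)
    SET @p3 = PARSENAME(@ip, 2)
    SET @p4 = PARSENAME(@ip, 1)

    -- Validate before CAST: SQL Server 2000/2005 has no TRY_CAST, and a
    -- non-numeric part would raise an error instead of returning NULL.
    IF @p1 IS NULL OR @p2 IS NULL OR @p3 IS NULL OR @p4 IS NULL
       OR @p1 = '' OR @p2 = '' OR @p3 = '' OR @p4 = ''
       OR @p1 LIKE '%[^0-9]%' OR @p2 LIKE '%[^0-9]%'
       OR @p3 LIKE '%[^0-9]%' OR @p4 LIKE '%[^0-9]%'
        RETURN NULL

    SET @o1 = CAST(@p1 AS bigint)
    SET @o2 = CAST(@p2 AS bigint)
    SET @o3 = CAST(@p3 AS bigint)
    SET @o4 = CAST(@p4 AS bigint)

    -- each octet must fit in a byte
    IF @o1 > 255 OR @o2 > 255 OR @o3 > 255 OR @o4 > 255
        RETURN NULL

    -- same packing as Code 5: first octet is the most significant byte
    RETURN (@o1 * 16777216) + (@o2 * 65536) + (@o3 * 256) + @o4
END
GO

-- Usage: convert inline instead of pasting integers from Code 5.
-- In the WHERE clause of Code 3 this reads
--   AND INCOMING.SOURCE_IP_INT in (dbo.iptoint('10.10.20.30'), dbo.iptoint('10.10.20.31'))
-- and the round trip through the page's own inverse function checks both directions:
SELECT dbo.iptoint('10.10.20.30')                AS int_form,
       dbo.inttoip(dbo.iptoint('10.10.20.30'))   AS back_to_dotted,
       dbo.iptoint('10.10.20.256')               AS octet_out_of_range,
       dbo.iptoint('10.10.20')                   AS too_few_octets
```

For 10.10.20.30 the arithmetic is 10*16777216 + 10*65536 + 20*256 + 30 = 168432670, which is the value Code 5 prints for the first address in its list; the last two columns of the SELECT come back NULL, which is the behaviour you want when a mistyped address would otherwise match the wrong host.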

Conclusion

Once the queries have run, you can save the results as a TAB-delimited CSV file and then import that into an Access database. The table structure is as follows:

For the User based queries:

For the IP based queries:

Once you have the data in the database you can run some nice, pretty reports. I have created some Crystal Reports that format all this data into a nice report. I know there is probably a way to run the SQL code right from Crystal Reports so you can skip all the import steps, but I don't know Crystal Reports well enough to pull it off. If you have a way to do it, let me know. If you want the Crystal Reports that I have created, email me at be281@bfn.org and I'll send them to you. Here is generally what the Crystal Reports look like (the real name and user name have been altered for obvious reasons):